Insufficient Transport Layer Protection

Insufficient Transport Layer Protection Defined

Insufficient Transport Layer Protection is a security weakness caused by applications not taking any measures to protect network traffic.

During authentication, applications may use SSL/TLS, but they often fail to make use of it elsewhere in the application, thereby leaving data and session IDs exposed. Exposed data and session IDs can be intercepted, which means the application is vulnerable to exploit.

As OWASP states, "Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly."

Because many versions of SSL/TLS protocols are widely used across many deployed applications such as web browsing, electronic mail, Internet faxing, instant messaging, voice-over-IP (VoIP) and many other applications that communicate over the internet, insufficient transport layer protection is ninth on the OWASP Top 10 risks.

Key Concepts of Insufficient Transport Layer Protection

Anyone on the internet can monitor the network traffic of your users. Distinguishing If the application is on the internet, who knows how your users access it. Don’t forget back end connections.

Explaining Insufficient Transport Layer Protection Through Examples

Let's examine how Insufficient Transport Layer Protections cause damage by looking at one of the most basic examples of a CRLF attack: adding fake entries into log files. Suppose a vulnerable application accepts unsanitized or improperly neutralized data and writes it to a system log file. An attacker supplies the following input:

Hello, World
DATABASE ERROR: TABLE CORRUPTION

Because this error is fake, a sysadmin may waste a lot of time troubleshooting a non-existent error. An attacker could use this type of Trojan to distract the admin while attacking the system somewhere else.

Another way to illustrate how Insufficient Transport Layer Protections can cause severe harm is through an application that accepts a file name as user input and then executes a relatively harmless command on that file such as "ls –a ". If the application is vulnerable to Insufficient Transport Layer Protection because of improperly neutralized or unsanitized data input, an attacker could provide the following input:

fname
/bin/rm -rf /

This Insufficient Transport Layer Protection attack could wipe out the entire file system if the application were running with root privileges on a linux/unix system.

Preventing Insufficient Transport Layer Protections

Fortunately, Insufficient Transport Layer Protections are easy to prevent. Always follow the rule of never trusting user input. Sanitize and neutralize all user-supplied data or properly encode output in HTTP headers that would otherwise be visible to users in order to prevent the injection of CRLF sequences and their consequences.